[autofs] - add some Coverity identified fixes for bug 1078776.

Ian Kent iankent at fedoraproject.org
Mon Jul 7 04:08:02 UTC 2014


commit ff6f3ee6ef3c1ba9ecf3b4b619294bd00ff02d95
Author: Ian Kent <ikent at redhat.com>
Date:   Mon Jul 7 12:07:07 2014 +0800

    - add some Coverity identified fixes for bug 1078776.

 ...ILE-pointer-check-in-defaults_read_config.patch |   82 ++
 ...x-memory-leak-in-conf_amd_get_log_options.patch |   34 +
 ...0.8-allow-with-systemd-to-take-a-path-arg.patch |   62 --
 ...p-update-lookup-hesiod-to-handle-amd-keys.patch |  423 ---------
 ...kup-update-lookup-ldap-to-handle-amd-keys.patch |  954 --------------------
 autofs-5.0.8-fix-WITH_LIBTIRPC-function-name.patch |   49 -
 ...fix-allow-with-systemd-to-take-a-path-arg.patch |   37 -
 autofs-5.0.8-fix-fix-ipv6-libtirpc-getport.patch   |   34 -
 ...8-fix-ipv6-libtirpc-getport-proto-not-set.patch |   32 -
 autofs-5.0.8-fix-ipv6-libtirpc-getport.patch       |  345 -------
 ....0.8-fix-ipv6-link-local-address-handling.patch |   41 -
 autofs-5.0.8-fix-master-map-type-check.patch       |   58 --
 autofs-5.0.8-fix-portmap-not-trying-proto-v2.patch |   59 --
 ...0.8-fix-task-manager-not-getting-signaled.patch |   47 -
 ...ed-authtype_requires_creds-err-if-ldap-en.patch |   52 --
 ...uld-query-portmapper-if-port-is-not-given.patch |   31 -
 ...existent-negative-entries-in-lookup_ghost.patch |   64 --
 ....9-fix-race-accessing-qdn-in-get_query_dn.patch |   52 ++
 ...d-return-check-in-ldap-check_map_indirect.patch |   72 ++
 autofs-5.1.0-add-serialization-to-sasl-init.patch  |   96 ++
 autofs-5.1.0-beta1-fix-wildcard-key-lookup.patch   |  170 ----
 ....1.0-check-amd-lex-buffer-len-before-copy.patch |  192 ++++
 ...-5.1.0-check-host-macro-is-set-before-use.patch |   38 +
 ...-options-length-before-use-in-parse_amd_c.patch |   87 ++
 ...5.1.0-dont-allocate-dev_ctl_ops-too-early.patch |   87 ++
 ...ffer-size-checks-in-get_network_proximity.patch |   56 ++
 ...0-fix-buffer-size-checks-in-merge_options.patch |  109 +++
 autofs-5.1.0-fix-compile-error-in-defaults_c.patch |   35 +
 ...-fix-config-entry-read-buffer-not-checked.patch |   49 +
 ...opy-and-paste-error-in-dup_defaults_entry.patch |   35 +
 ...-fix-incorrect-round-robin-host-detection.patch |   35 +
 autofs-5.1.0-fix-leak-in-cache_push_mapent.patch   |   36 +
 ...s-5.1.0-fix-leak-in-get_network_proximity.patch |   39 +
 autofs-5.1.0-fix-leak-in-parse_mount.patch         |   36 +
 ....0-fix-signed-comparison-in-inet_fill_net.patch |   36 +
 ...e-out-of-order-evaluations-in-parse_amd_c.patch |  107 +++
 autofs.spec                                        |   63 ++-
 37 files changed, 1375 insertions(+), 2459 deletions(-)
---
diff --git a/autofs-5.0.1-fix-FILE-pointer-check-in-defaults_read_config.patch b/autofs-5.0.1-fix-FILE-pointer-check-in-defaults_read_config.patch
new file mode 100644
index 0000000..c69ef73
--- /dev/null
+++ b/autofs-5.0.1-fix-FILE-pointer-check-in-defaults_read_config.patch
@@ -0,0 +1,82 @@
+autofs-5.0.1 - fix FILE pointer check in defaults_read_config()
+
+From: Ian Kent <raven at themaw.net>
+
+Fix possible use after free usage of FILE pointer in defaults_read_config().
+---
+ CHANGELOG      |    1 +
+ lib/defaults.c |   15 +++++++--------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 21c3ecd..d978529 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -7,6 +7,7 @@
+ - fix race accessing qdn in get_query_dn().
+ - fix leak in cache_push_mapent().
+ - fix config entry read buffer not checked.
++- fix FILE pointer check in defaults_read_config().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/defaults.c b/lib/defaults.c
+index a83dcee..1c3df56 100644
+--- a/lib/defaults.c
++++ b/lib/defaults.c
+@@ -1056,6 +1056,8 @@ unsigned int defaults_read_config(unsigned int to_syslog)
+ 
+ 	ret = 1;
+ 
++	conf = oldconf = NULL;
++
+ 	pthread_mutex_lock(&conf_mutex);
+ 	if (!config) {
+ 		if (conf_init()) {
+@@ -1082,15 +1084,11 @@ unsigned int defaults_read_config(unsigned int to_syslog)
+ 	    stb.st_mtime <= config->modified &&
+ 	    (oldstat = fstat(fileno(oldconf), &oldstb) == -1) &&
+ 	    oldstb.st_mtime <= config->modified) {
+-		fclose(conf);
+-		fclose(oldconf);
+ 		goto out;
+ 	}
+ 
+ 	if (conf || oldconf) {
+ 		if (!reset_defaults(to_syslog)) {
+-			fclose(conf);
+-			fclose(oldconf);
+ 			ret = 0;
+ 			goto out;
+ 		}
+@@ -1108,10 +1106,8 @@ unsigned int defaults_read_config(unsigned int to_syslog)
+ 		}
+ 	}
+ 
+-	if (conf) {
++	if (conf)
+ 		read_config(to_syslog, conf, DEFAULT_CONFIG_FILE);
+-		fclose(conf);
+-	}
+ 
+ 	/*
+ 	 * Read the old config file and override the installed
+@@ -1132,7 +1128,6 @@ unsigned int defaults_read_config(unsigned int to_syslog)
+ 			clean_ldap_multi_option(NAME_LDAP_URI);
+ 
+ 		read_config(to_syslog, oldconf, OLD_CONFIG_FILE);
+-		fclose(oldconf);
+ 
+ 		if (ldap_search_base) {
+ 			co = conf_lookup(sec, NAME_SEARCH_BASE);
+@@ -1151,6 +1146,10 @@ unsigned int defaults_read_config(unsigned int to_syslog)
+ 		}
+ 	}
+ out:
++	if (conf)
++		fclose(conf);
++	if (oldconf)
++		fclose(oldconf);
+ 	pthread_mutex_unlock(&conf_mutex);
+ 	return ret;
+ }
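Review bot: In the unchanged condition ahead of the first `goto out`, `(oldstat = fstat(fileno(oldconf), &oldstb) == -1)` parses as `oldstat = (fstat(...) == -1)`, so that term is true only when fstat() fails. The next line then reads `oldstb.st_mtime` from a struct that fstat() did not fill. If the intent is to skip the re-read when neither file is newer, the term should probably be `(oldstat = fstat(fileno(oldconf), &oldstb)) != -1`. The start of the condition is outside the hunk, so the matching test on `conf` and any NULL guard on `oldconf` before `fileno()` cannot be checked from here.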
diff --git a/autofs-5.0.1-fix-memory-leak-in-conf_amd_get_log_options.patch b/autofs-5.0.1-fix-memory-leak-in-conf_amd_get_log_options.patch
new file mode 100644
index 0000000..7809b51
--- /dev/null
+++ b/autofs-5.0.1-fix-memory-leak-in-conf_amd_get_log_options.patch
@@ -0,0 +1,34 @@
+autofs-5.0.1 - fix memory leak in conf_amd_get_log_options()
+
+From: Ian Kent <raven at themaw.net>
+
+Fix obvious memory leak in conf_amd_get_log_options().
+---
+ CHANGELOG      |    1 +
+ lib/defaults.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index d978529..f5bbb34 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -8,6 +8,7 @@
+ - fix leak in cache_push_mapent().
+ - fix config entry read buffer not checked.
+ - fix FILE pointer check in defaults_read_config().
++- fix memory leak in conf_amd_get_log_options().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/defaults.c b/lib/defaults.c
+index 1c3df56..4e09c19 100644
+--- a/lib/defaults.c
++++ b/lib/defaults.c
+@@ -1795,6 +1795,7 @@ unsigned int conf_amd_get_log_options(void)
+ 			if (log_level < LOG_CRIT)
+ 				log_level = LOG_CRIT;
+ 		}
++		free(tmp);
+ 	}
+ 
+ 	if (log_level == -1)
diff --git a/autofs-5.0.9-fix-race-accessing-qdn-in-get_query_dn.patch b/autofs-5.0.9-fix-race-accessing-qdn-in-get_query_dn.patch
new file mode 100644
index 0000000..6cdf18f
--- /dev/null
+++ b/autofs-5.0.9-fix-race-accessing-qdn-in-get_query_dn.patch
@@ -0,0 +1,52 @@
+autofs-5.0.9 - fix race accessing qdn in get_query_dn()
+
+From: Ian Kent <raven at themaw.net>
+
+Fix a couple of obvious problems in get_query_dn().
+
+First, check dn is not NULL before attempting to duplicate it.
+And also protect the update of qdn in the context by a mutex.
+---
+ CHANGELOG             |    1 +
+ modules/lookup_ldap.c |    9 ++++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 1b4e2fe..e911682 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -4,6 +4,7 @@
+ - add serialization to sasl init.
+ - dont allocate dev_ctl_ops too early.
+ - fix incorrect round robin host detection.
++- fix race accessing qdn in get_query_dn().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
+index aca3e05..5c16063 100644
+--- a/modules/lookup_ldap.c
++++ b/modules/lookup_ldap.c
+@@ -461,16 +461,19 @@ static int get_query_dn(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt
+ 	}
+ 
+ 	free(query);
+-	qdn = strdup(dn);
+-	ldap_memfree(dn);
++	if (dn) {
++		qdn = strdup(dn);
++		ldap_memfree(dn);
++	}
+ 	ldap_msgfree(result);
+ 	if (!qdn)
+ 		return 0;
+ 
++	uris_mutex_lock(ctxt);
+ 	if (ctxt->qdn)
+ 		free(ctxt->qdn);
+-
+ 	ctxt->qdn = qdn;
++	uris_mutex_unlock(ctxt);
+ 
+ 	return 1;
+ }
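Review bot: When `dn` is NULL the new `if (dn)` block is skipped and `if (!qdn)` tests whatever `qdn` already holds, so the guard is only safe if `qdn` is initialised to NULL at its declaration, which is outside this hunk. If it is not, add `qdn = NULL;` ahead of the `if (dn)` test. The new locked section frees and replaces `ctxt->qdn`; any reader of `ctxt->qdn` elsewhere in the file would need to take the same lock for that free to be safe, which cannot be confirmed from the lines shown.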
diff --git a/autofs-5.1.0-add-return-check-in-ldap-check_map_indirect.patch b/autofs-5.1.0-add-return-check-in-ldap-check_map_indirect.patch
new file mode 100644
index 0000000..14f766e
--- /dev/null
+++ b/autofs-5.1.0-add-return-check-in-ldap-check_map_indirect.patch
@@ -0,0 +1,72 @@
+autofs-5.1.0 - add return check in ldap check_map_indirect()
+
+From: Ian Kent <ikent at redhat.com>
+
+Fix not checking return from pthread_mutex_lock/pthread_mutex_unlock in
+modules/lookup_ldap.c:check_map_indirect().
+---
+ CHANGELOG             |    1 +
+ modules/lookup_ldap.c |   17 +++++++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index dfbaeb1..d7d161f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -14,6 +14,7 @@
+ - fix leak in get_network_proximity().
+ - fix buffer size checks in merge_options().
+ - check amd lex buffer len before copy.
++- add return check in ldap check_map_indirect().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
+index 5c16063..ac2ef30 100644
+--- a/modules/lookup_ldap.c
++++ b/modules/lookup_ldap.c
+@@ -3420,12 +3420,15 @@ static int check_map_indirect(struct autofs_point *ap,
+ 	time_t now = time(NULL);
+ 	time_t t_last_read;
+ 	int ret, cur_state;
++	int status;
+ 
+ 	mc = source->mc;
+ 
+ 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cur_state);
+ 
+-	pthread_mutex_lock(&ap->entry->current_mutex);
++	status = pthread_mutex_lock(&ap->entry->current_mutex);
++	if (status)
++		fatal(status);
+ 	if (is_amd_format) {
+ 		unsigned long timestamp = get_amd_timestamp(ctxt);
+ 		if (timestamp > ctxt->timestamp) {
+@@ -3445,7 +3448,9 @@ static int check_map_indirect(struct autofs_point *ap,
+ 				ctxt->check_defaults = 0;
+ 		}
+ 	}
+-	pthread_mutex_unlock(&ap->entry->current_mutex);
++	status = pthread_mutex_unlock(&ap->entry->current_mutex);
++	if (status)
++		fatal(status);
+ 
+ 	ret = match_key(ap, source, key, key_len, ctxt);
+ 	if (ret == CHE_FAIL) {
+@@ -3490,10 +3495,14 @@ static int check_map_indirect(struct autofs_point *ap,
+ 		}
+ 		cache_unlock(mc);
+ 
+-		pthread_mutex_lock(&ap->entry->current_mutex);
++		status = pthread_mutex_lock(&ap->entry->current_mutex);
++		if (status)
++			fatal(status);
+ 		if (t_last_read > ap->exp_runfreq && ret & CHE_UPDATED)
+ 			source->stale = 1;
+-		pthread_mutex_unlock(&ap->entry->current_mutex);
++		status = pthread_mutex_unlock(&ap->entry->current_mutex);
++		if (status)
++			fatal(status);
+ 	}
+ 
+ 	cache_readlock(mc);
diff --git a/autofs-5.1.0-add-serialization-to-sasl-init.patch b/autofs-5.1.0-add-serialization-to-sasl-init.patch
new file mode 100644
index 0000000..f2607a5
--- /dev/null
+++ b/autofs-5.1.0-add-serialization-to-sasl-init.patch
@@ -0,0 +1,96 @@
+autofs-5.1.0 - add serialization to sasl init
+
+From: Ian Kent <ikent at redhat.com>
+
+Attempt to resolve crash in sasl initialization. We know that the
+initial connection calls to connect to an LDAP server are not
+thread safe and it looks like the sasl code doesn't take that into
+consideration so adding serialization with a mutex is probably a
+sensible thing to do.
+---
+ CHANGELOG             |    1 +
+ modules/lookup_ldap.c |   13 +++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 58b94dc..92ee83b 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,6 +1,7 @@
+ ??/??/2014 autofs-5.1.1
+ =======================
+ - fix compile error in defaults.c.
++- add serialization to sasl init.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
+index 8091ed2..aca3e05 100644
+--- a/modules/lookup_ldap.c
++++ b/modules/lookup_ldap.c
+@@ -578,7 +578,9 @@ static int do_bind(unsigned logopt, LDAP *ldap, const char *uri, struct lookup_c
+ 	      ctxt->auth_required, ctxt->sasl_mech);
+ 
+ 	if (ctxt->auth_required & LDAP_NEED_AUTH) {
++		ldapinit_mutex_lock();
+ 		rv = autofs_sasl_bind(logopt, ldap, ctxt);
++		ldapinit_mutex_unlock();
+ 		debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
+ 	} else {
+ 		rv = bind_ldap_simple(logopt, ldap, uri, ctxt);
+@@ -922,7 +924,9 @@ static LDAP *do_reconnect(unsigned logopt, struct lookup_context *ctxt)
+ #ifdef WITH_SASL
+ 		/* Dispose of the sasl authentication connection and try again. */
+ 		if (!ldap && ctxt->auth_required & LDAP_NEED_AUTH) {
++			ldapinit_mutex_lock();
+ 			autofs_sasl_dispose(ctxt);
++			ldapinit_mutex_unlock();
+ 			ldap = connect_to_server(logopt, ctxt->server, ctxt);
+ 		}
+ #endif
+@@ -958,7 +962,9 @@ static LDAP *do_reconnect(unsigned logopt, struct lookup_context *ctxt)
+ 	 * current server again before trying other servers in the list.
+ 	 */
+ 	if (!ldap && ctxt->auth_required & LDAP_NEED_AUTH) {
++		ldapinit_mutex_lock();
+ 		autofs_sasl_dispose(ctxt);
++		ldapinit_mutex_unlock();
+ 		ldap = connect_to_server(logopt, ctxt->uri->uri, ctxt);
+ 	}
+ #endif
+@@ -969,7 +975,9 @@ static LDAP *do_reconnect(unsigned logopt, struct lookup_context *ctxt)
+ 
+ find_server:
+ #ifdef WITH_SASL
++	ldapinit_mutex_lock();
+ 	autofs_sasl_dispose(ctxt);
++	ldapinit_mutex_unlock();
+ #endif
+ 
+ 	/* Current server failed, try the rest or dc connection */
+@@ -1742,11 +1750,14 @@ int lookup_init(const char *mapfmt, int argc, const char *const *argv, void **co
+ 
+ #ifdef WITH_SASL
+ 	/* Init the sasl callbacks */
++	ldapinit_mutex_lock();
+ 	if (!autofs_sasl_client_init(LOGOPT_NONE)) {
+ 		error(LOGOPT_ANY, "failed to init sasl client");
++		ldapinit_mutex_unlock();
+ 		free_context(ctxt);
+ 		return 1;
+ 	}
++	ldapinit_mutex_unlock();
+ #endif
+ 
+ 	if (is_amd_format)
+@@ -3678,8 +3689,10 @@ int lookup_done(void *context)
+ 	struct lookup_context *ctxt = (struct lookup_context *) context;
+ 	int rv = close_parse(ctxt->parse);
+ #ifdef WITH_SASL
++	ldapinit_mutex_lock();
+ 	autofs_sasl_dispose(ctxt);
+ 	autofs_sasl_done();
++	ldapinit_mutex_unlock();
+ #endif
+ 	free_context(ctxt);
+ 	return rv;
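Review bot: In do_bind() the process-wide init lock is held across `autofs_sasl_bind()`, which presumably exchanges bind messages with the LDAP server, so one slow or unresponsive server could stall every other thread waiting in `ldapinit_mutex_lock()`. It is also worth confirming that no caller of do_bind() or do_reconnect() already holds this lock, since a non-recursive mutex would then self-deadlock; the callers are outside these hunks. The commit message says the serialization is "probably" needed, so record the reasoning at the first lock site, e.g. `/* sasl init, bind and dispose are not thread safe: serialize them with LDAP connection init */`.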
diff --git a/autofs-5.1.0-check-amd-lex-buffer-len-before-copy.patch b/autofs-5.1.0-check-amd-lex-buffer-len-before-copy.patch
new file mode 100644
index 0000000..43bbfda
--- /dev/null
+++ b/autofs-5.1.0-check-amd-lex-buffer-len-before-copy.patch
@@ -0,0 +1,192 @@
+autofs-5.1.0 - check amd lex buffer len before copy
+
+From: Ian Kent <ikent at redhat.com>
+
+Guard against lex to yacc communication buffer overflow.
+---
+ CHANGELOG         |    1 +
+ modules/amd_tok.l |   49 +++++++++++++++++++++++++++++++------------------
+ 2 files changed, 32 insertions(+), 18 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 840e099..dfbaeb1 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -13,6 +13,7 @@
+ - fix buffer size checks in get_network_proximity().
+ - fix leak in get_network_proximity().
+ - fix buffer size checks in merge_options().
++- check amd lex buffer len before copy.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/amd_tok.l b/modules/amd_tok.l
+index 5664f67..1d9c234 100644
+--- a/modules/amd_tok.l
++++ b/modules/amd_tok.l
+@@ -22,6 +22,7 @@
+ # undef ECHO
+ #endif
+ static void amd_echo(void);	/* forward definition */
++static void amd_copy_buffer(void);
+ #define ECHO amd_echo()
+ int amd_wrap(void);
+ 
+@@ -125,26 +126,26 @@ CUTSEP		(\|\||\/)
+ 
+ 	{MAPOPT} {
+ 		BEGIN(MAPOPTVAL);
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return MAP_OPTION;
+ 
+ 	}
+ 
+ 	{FSOPTS} {
+ 		BEGIN(FSOPTVAL);
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return FS_OPTION;
+ 	}
+ 
+ 	{MNTOPT} {
+ 		BEGIN(MNTOPTVAL);
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return MNT_OPTION;
+ 	}
+ 
+ 	{SELOPT} {
+ 		BEGIN(SELOPTVAL);
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SELECTOR;
+ 	}
+ 
+@@ -152,13 +153,13 @@ CUTSEP		(\|\||\/)
+ 
+ 	{SEL1ARG} {
+ 		BEGIN(SELARGVAL);
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SELECTOR;
+ 	}
+ 
+ 	{SEL2ARG} {
+ 		BEGIN(SELARGVAL);
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SELECTOR;
+ 	}
+ 
+@@ -171,7 +172,7 @@ CUTSEP		(\|\||\/)
+ 	#.*  { return COMMENT; }
+ 
+ 	{OTHR} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return OTHER;
+ 	}
+ }
+@@ -201,22 +202,22 @@ CUTSEP		(\|\||\/)
+ 	":=" { return OPTION_ASSIGN; }
+ 
+ 	{FSTYPE} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return FS_TYPE;
+ 	}
+ 
+ 	{MAPTYPE} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return MAP_TYPE;
+ 	}
+ 
+ 	{CHEOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return CACHE_OPTION;
+ 	}
+ 
+ 	{FOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return FS_OPT_VALUE;
+ 	}
+ }
+@@ -246,7 +247,7 @@ CUTSEP		(\|\||\/)
+ 	":=" { return OPTION_ASSIGN; }
+ 
+ 	{FOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return FS_OPT_VALUE;
+ 	}
+ }
+@@ -278,7 +279,7 @@ CUTSEP		(\|\||\/)
+ 	"," { return COMMA; }
+ 
+ 	{OPTS} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return OPTION;
+ 	}
+ }
+@@ -310,7 +311,7 @@ CUTSEP		(\|\||\/)
+ 	"!=" { return NOT_EQUAL; }
+ 
+ 	{SOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SELECTOR_VALUE;
+ 	}
+ }
+@@ -335,24 +336,24 @@ CUTSEP		(\|\||\/)
+ 	"(" { return LBRACKET; }
+ 
+ 	{NOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SEL_ARG_VALUE;
+ 	}
+ 
+ 	{SOPT}/"," {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SEL_ARG_VALUE;
+ 	}
+ 
+ 	"," { return COMMA; }
+ 
+ 	{SOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SEL_ARG_VALUE;
+ 	}
+ 
+ 	{FOPT} {
+-		strcpy(amd_lval.strtype, amd_text);
++		amd_copy_buffer();
+ 		return SEL_ARG_VALUE;
+ 	}
+ 
+@@ -368,6 +369,18 @@ int amd_wrap(void)
+ 	return 1;
+ }
+ 
++static void amd_copy_buffer(void)
++{
++	if (amd_leng < 2048)
++		strcpy(amd_lval.strtype, amd_text);
++	else {
++		strncpy(amd_lval.strtype, amd_text, 2047);
++		amd_lval.strtype[2047] = '\0';
++		logmsg("warning: truncated option near %s\n",
++			&amd_lval.strtype[2030]);
++	}
++}
++
+ static void amd_echo(void)
+ {
+ 	logmsg("%s\n", amd_text);
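Review bot: `amd_copy_buffer()` hard-codes 2048 and 2047 as the capacity of `amd_lval.strtype`, whose declaration is not part of this patch; if the two ever differ, the "bounded" branch can still write past the buffer. If `strtype` is an array, derive the limit from it, e.g. `if ((size_t) amd_leng < sizeof(amd_lval.strtype))` and `amd_lval.strtype[sizeof(amd_lval.strtype) - 1] = '\0';`. On over-length input the function only logs a warning and the rule still returns its token with a truncated value, so the parser goes on to act on an option string the map did not contain. Failing the entry would be safer than continuing with a cut-off value.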
diff --git a/autofs-5.1.0-check-host-macro-is-set-before-use.patch b/autofs-5.1.0-check-host-macro-is-set-before-use.patch
new file mode 100644
index 0000000..67773d4
--- /dev/null
+++ b/autofs-5.1.0-check-host-macro-is-set-before-use.patch
@@ -0,0 +1,38 @@
+autofs-5.1.0 - check host macro is set before use
+
+From: Ian Kent <ikent at redhat.com>
+
+Check marco lookup return for ${host} in match_my_name() before using it.
+---
+ CHANGELOG           |    1 +
+ modules/parse_amd.c |    5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index d7d161f..20290fc 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -15,6 +15,7 @@
+ - fix buffer size checks in merge_options().
+ - check amd lex buffer len before copy.
+ - add return check in ldap check_map_indirect().
++- check host macro is set before use.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/parse_amd.c b/modules/parse_amd.c
+index 26d01ed..25fe4aa 100644
+--- a/modules/parse_amd.c
++++ b/modules/parse_amd.c
+@@ -238,6 +238,11 @@ static int match_my_name(unsigned int logopt, const char *name, struct substvar
+ 			return 1;
+ 	}
+ 
++	if (!v || !v->val) {
++		error(logopt, "error: ${host} not set");
++		goto out;
++	}
++
+ 	/* Check if comparison value is an alias */
+ 
+ 	memset(&hints, 0, sizeof(hints));
diff --git a/autofs-5.1.0-check-options-length-before-use-in-parse_amd_c.patch b/autofs-5.1.0-check-options-length-before-use-in-parse_amd_c.patch
new file mode 100644
index 0000000..be3872e
--- /dev/null
+++ b/autofs-5.1.0-check-options-length-before-use-in-parse_amd_c.patch
@@ -0,0 +1,87 @@
+autofs-5.1.0 - check options length before use in parse_amd.c
+
+From: Ian Kent <ikent at redhat.com>
+
+Check for temporary buffer overflow before copy at several places in
+modules/parse_amd.c.
+---
+ CHANGELOG           |    1 +
+ modules/parse_amd.c |   36 ++++++++++++++++++++++++++++++++----
+ 2 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 20290fc..81aadca 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -16,6 +16,7 @@
+ - check amd lex buffer len before copy.
+ - add return check in ldap check_map_indirect().
+ - check host macro is set before use.
++- check options length before use in parse_amd.c.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/parse_amd.c b/modules/parse_amd.c
+index 25fe4aa..6764152 100644
+--- a/modules/parse_amd.c
++++ b/modules/parse_amd.c
+@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_point *ap, const char *name,
+ {
+ 	char target[PATH_MAX + 1];
+ 
+-	if (!entry->map_type)
++	if (!entry->map_type) {
++		if (strlen(entry->fs) > PATH_MAX) {
++			error(ap->logopt, MODPREFIX
++			     "error: fs option length is too long");
++			return 0;
++		}
+ 		strcpy(target, entry->fs);
+-	else {
++	} else {
++		if (strlen(entry->fs) +
++		    strlen(entry->map_type) + 5 > PATH_MAX) {
++			error(ap->logopt, MODPREFIX
++			     "error: fs + maptype options length is too long");
++			return 0;
++		}
+ 		strcpy(target, entry->map_type);
+ 		strcat(target, ",amd:");
+ 		strcat(target, entry->fs);
+@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_point *ap, const char *name,
+ 	const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL;
+ 	int ret;
+ 
+-	if (entry->sublink)
++	if (entry->sublink) {
++		if (strlen(entry->sublink) > PATH_MAX) {
++			error(ap->logopt, MODPREFIX
++			     "error: sublink option length is too long");
++			return 0;
++		}
+ 		strcpy(target, entry->sublink);
+-	else
++	} else {
++		if (strlen(entry->fs) > PATH_MAX) {
++			error(ap->logopt, MODPREFIX
++			     "error: fs option length is too long");
++			return 0;
++		}
+ 		strcpy(target, entry->fs);
++	}
+ 
+ 	if (!(flags & CONF_AUTOFS_USE_LOFS))
+ 		goto symlink;
+@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_point *ap, const char *name,
+ 	unsigned int umount = 0;
+ 	int ret = 0;
+ 
++	if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) {
++		error(ap->logopt, MODPREFIX
++		     "error: rhost + rfs options length is too long");
++		return 0;
++	}
++
+ 	strcpy(target, entry->rhost);
+ 	strcat(target, ":");
+ 	strcat(target, entry->rfs);
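Review bot: Every new over-length branch uses `return 0;`, and `int ret = 0;` in do_nfs_mount() hints that 0 may be the success value for these helpers; if so, an entry rejected for length is reported to the caller as mounted. The existing return statements are outside the hunks, so confirm the convention and return the failure value on these paths. In do_link_mount() and do_nfs_mount() the declaration of `target` is not visible, so the `PATH_MAX` bound is assumed rather than shown. Testing against `sizeof(target)`, or building the string with `snprintf(target, sizeof(target), "%s:%s", entry->rhost, entry->rfs)` and checking the result for truncation, would tie each check to the buffer it protects.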
diff --git a/autofs-5.1.0-dont-allocate-dev_ctl_ops-too-early.patch b/autofs-5.1.0-dont-allocate-dev_ctl_ops-too-early.patch
new file mode 100644
index 0000000..69b846f
--- /dev/null
+++ b/autofs-5.1.0-dont-allocate-dev_ctl_ops-too-early.patch
@@ -0,0 +1,87 @@
+autofs-5.1.0 - dont allocate dev_ctl_ops too early
+
+From: Ian Kent <raven at themaw.net>
+
+If the standard io file descriptors have been closed by the cloning
+process the file handle for autofs device control can correspond to
+a descriptor number of one of the standard io descriptors which will
+be closed when the process is daemonized.
+
+Avoid this by closing the device control descriptor opened when
+performing sanity checks at startup so that it can be opened
+on a higher numbered file descriptor after the process has switched
+to daemon mode.
+---
+ CHANGELOG    |    1 +
+ lib/mounts.c |   14 +++++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 92ee83b..ece8c5c 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -2,6 +2,7 @@
+ =======================
+ - fix compile error in defaults.c.
+ - add serialization to sasl init.
++- dont allocate dev_ctl_ops too early.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/mounts.c b/lib/mounts.c
+index c9e1237..f635371 100644
+--- a/lib/mounts.c
++++ b/lib/mounts.c
+@@ -90,7 +90,7 @@ unsigned int linux_version_code(void)
+ 
+ unsigned int query_kproto_ver(void)
+ {
+-	struct ioctl_ops *ops = get_ioctl_ops();
++	struct ioctl_ops *ops;
+ 	char dir[] = "/tmp/autoXXXXXX", *t_dir;
+ 	char options[MAX_OPTIONS_LEN + 1];
+ 	pid_t pgrp = getpgrp();
+@@ -131,10 +131,19 @@ unsigned int query_kproto_ver(void)
+ 		return 0;
+ 	}
+ 
++	ops = get_ioctl_ops();
++	if (!ops) {
++		umount(t_dir);
++		close(pipefd[0]);
++		rmdir(t_dir);
++		return 0;
++	}
++
+ 	ops->open(LOGOPT_NONE, &ioctlfd, st.st_dev, t_dir);
+ 	if (ioctlfd == -1) {
+ 		umount(t_dir);
+ 		close(pipefd[0]);
++		close_ioctl_ctl();
+ 		rmdir(t_dir);
+ 		return 0;
+ 	}
+@@ -146,6 +155,7 @@ unsigned int query_kproto_ver(void)
+ 		ops->close(LOGOPT_NONE, ioctlfd);
+ 		umount(t_dir);
+ 		close(pipefd[0]);
++		close_ioctl_ctl();
+ 		rmdir(t_dir);
+ 		return 0;
+ 	}
+@@ -155,6 +165,7 @@ unsigned int query_kproto_ver(void)
+ 		ops->close(LOGOPT_NONE, ioctlfd);
+ 		umount(t_dir);
+ 		close(pipefd[0]);
++		close_ioctl_ctl();
+ 		rmdir(t_dir);
+ 		return 0;
+ 	}
+@@ -162,6 +173,7 @@ unsigned int query_kproto_ver(void)
+ 	ops->close(LOGOPT_NONE, ioctlfd);
+ 	umount(t_dir);
+ 	close(pipefd[0]);
++	close_ioctl_ctl();
+ 	rmdir(t_dir);
+ 
+ 	return 1;
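Review bot: The late `ops = get_ioctl_ops();` and the four added `close_ioctl_ctl();` calls carry no comment, so the reason for them (the control descriptor landing on a stdio descriptor number that is closed at daemonization) lives only in the commit message. Add a comment above `ops = get_ioctl_ops();`, e.g. `/* Open the control device only for this check and release it before returning, so it is not left on a descriptor number that is closed when the process daemonizes. */`. The same umount/close/rmdir sequence now appears five times in query_kproto_ver(); a single exit label would keep a future cleanup step from missing one path. The function starts and continues outside the hunks.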
diff --git a/autofs-5.1.0-fix-buffer-size-checks-in-get_network_proximity.patch b/autofs-5.1.0-fix-buffer-size-checks-in-get_network_proximity.patch
new file mode 100644
index 0000000..d94daad
--- /dev/null
+++ b/autofs-5.1.0-fix-buffer-size-checks-in-get_network_proximity.patch
@@ -0,0 +1,56 @@
+autofs-5.1.0 - fix buffer size checks in get_network_proximity()
+
+From: Ian Kent <raven at themaw.net>
+
+Add several buffer size checks in get_network_proximity().
+---
+ CHANGELOG        |    1 +
+ lib/parse_subs.c |    8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 6977443..86166d7 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -10,6 +10,7 @@
+ - fix FILE pointer check in defaults_read_config().
+ - fix memory leak in conf_amd_get_log_options().
+ - fix signed comparison in inet_fill_net().
++- fix buffer size checks in get_network_proximity().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
+index c1648c2..9af5106 100644
+--- a/lib/parse_subs.c
++++ b/lib/parse_subs.c
+@@ -437,7 +437,7 @@ unsigned int get_network_proximity(const char *name)
+ {
+ 	struct addrinfo hints;
+ 	struct addrinfo *ni, *this;
+-	char name_or_num[NI_MAXHOST];
++	char name_or_num[NI_MAXHOST + 1];
+ 	unsigned int proximity;
+ 	char *net;
+ 	int ret;
+@@ -449,16 +449,18 @@ unsigned int get_network_proximity(const char *name)
+ 	if (net)
+ 		strcpy(name_or_num, net);
+ 	else {
+-		char this[NI_MAXHOST];
++		char this[NI_MAXHOST + 1];
+ 		char *mask;
+ 
++		if (strlen(name) > NI_MAXHOST)
++			return PROXIMITY_ERROR;
+ 		strcpy(this, name);
+ 		if ((mask = strchr(this, '/')))
+ 			*mask++ = '\0';
+ 		if (!strchr(this, '.'))
+ 			strcpy(name_or_num, this);
+ 		else {
+-			char buf[NI_MAXHOST], *new;
++			char buf[NI_MAXHOST + 1], *new;
+ 			new = inet_fill_net(this, buf);
+ 			if (!new)
+ 				return PROXIMITY_ERROR;
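Review bot: The `if (net) strcpy(name_or_num, net);` path is still unbounded: the new length check covers only `name` in the else branch, while `net` comes from a call outside the hunk. Unless that call guarantees a result that fits, add `if (strlen(net) > NI_MAXHOST) return PROXIMITY_ERROR;` before the copy, releasing `net` first if it is heap-allocated. `inet_fill_net(this, buf)` is also handed `buf` without its size, so whether it can overrun `buf` depends on code not shown here.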
diff --git a/autofs-5.1.0-fix-buffer-size-checks-in-merge_options.patch b/autofs-5.1.0-fix-buffer-size-checks-in-merge_options.patch
new file mode 100644
index 0000000..6e3d00f
--- /dev/null
+++ b/autofs-5.1.0-fix-buffer-size-checks-in-merge_options.patch
@@ -0,0 +1,109 @@
+autofs-5.1.0 - fix buffer size checks in merge_options()
+
+From: Ian Kent <raven at themaw.net>
+
+Fix some buffer size overflow checks in merge_options().
+---
+ CHANGELOG        |    1 +
+ lib/parse_subs.c |   25 +++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 92657c3..840e099 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -12,6 +12,7 @@
+ - fix signed comparison in inet_fill_net().
+ - fix buffer size checks in get_network_proximity().
+ - fix leak in get_network_proximity().
++- fix buffer size checks in merge_options().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
+index 6e9f2d7..6145828 100644
+--- a/lib/parse_subs.c
++++ b/lib/parse_subs.c
+@@ -886,11 +886,11 @@ static char *hasopt(const char *str, const char *opt)
+ 
+ char *merge_options(const char *opt1, const char *opt2)
+ {
+-	char str[MAX_OPTIONS_LEN];
+-	char result[MAX_OPTIONS_LEN];
+-	char neg[MAX_OPTION_LEN];
++	char str[MAX_OPTIONS_LEN + 1];
++	char result[MAX_OPTIONS_LEN + 1];
++	char neg[MAX_OPTION_LEN + 1];
+ 	char *tok, *ptr = NULL;
+-	size_t len;
++	size_t resultlen, len;
+ 
+ 	if ((!opt1 || !*opt1) && (!opt2 || !*opt2))
+ 		return NULL;
+@@ -910,9 +910,12 @@ char *merge_options(const char *opt1, const char *opt2)
+ 	if (!strcmp(opt1, opt2))
+ 		return strdup(opt1);
+ 
++	if (strlen(str) > MAX_OPTIONS_LEN)
++		return NULL;
+ 	memset(result, 0, sizeof(result));
+ 	strcpy(str, opt1);
+ 
++	resultlen = 0;
+ 	tok = strtok_r(str, ",", &ptr);
+ 	while (tok) {
+ 		const char *this = (const char *) tok;
+@@ -920,12 +923,15 @@ char *merge_options(const char *opt1, const char *opt2)
+ 		if (eq) {
+ 			*eq = '\0';
+ 			if (!hasopt(opt2, this)) {
++				if (resultlen + strlen(this) > MAX_OPTIONS_LEN)
++					return NULL;
+ 				*eq = '=';
+ 				if (!*result)
+ 					strcpy(result, this);
+ 				else
+ 					strcat(result, this);
+ 				strcat(result, ",");
++				resultlen += strlen(this) + 1;
+ 				goto next;
+ 			}
+ 		}
+@@ -946,10 +952,14 @@ char *merge_options(const char *opt1, const char *opt2)
+ 			goto next;
+ 
+ 		if (!strncmp(this, "no", 2)) {
++			if (strlen(this + 2) > MAX_OPTION_LEN)
++				return NULL;
+ 			strcpy(neg, this + 2);
+ 			if (hasopt(opt2, neg))
+ 				goto next;
+ 		} else {
++			if ((strlen(this) + 2) > MAX_OPTION_LEN)
++				return NULL;
+ 			strcpy(neg, "no");
+ 			strcat(neg, this);
+ 			if (hasopt(opt2, neg))
+@@ -959,15 +969,22 @@ char *merge_options(const char *opt1, const char *opt2)
+ 		if (hasopt(opt2, tok))
+ 			goto next;
+ 
++		if (resultlen + strlen(this) + 1 > MAX_OPTIONS_LEN)
++			return NULL;
++
+ 		if (!*result)
+ 			strcpy(result, this);
+ 		else
+ 			strcat(result, this);
+ 		strcat(result, ",");
++		resultlen =+ strlen(this) + 1;
+ next:
+ 		tok = strtok_r(NULL, ",", &ptr);
+ 	}
+ 
++	if (resultlen + strlen(opt2) > MAX_OPTIONS_LEN)
++		return NULL;
++
+ 	if (!*result)
+ 		strcpy(result, opt2);
+ 	else
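Review bot: Three of the new bounds checks in merge_options() do not guard what they are meant to. `if (strlen(str) > MAX_OPTIONS_LEN)` measures `str` immediately before `strcpy(str, opt1)` fills it, so it should be `if (strlen(opt1) > MAX_OPTIONS_LEN)`. `resultlen =+ strlen(this) + 1;` assigns rather than accumulates and should be `resultlen += strlen(this) + 1;`, otherwise later checks see only the last token's length. In the `eq` branch the check runs while `*eq` is still `'\0'`, so `strlen(this)` counts only the option name and omits the value and the trailing comma; move `*eq = '=';` above the check and add the `+ 1`. The function's tail is outside the last hunk.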
diff --git a/autofs-5.1.0-fix-compile-error-in-defaults_c.patch b/autofs-5.1.0-fix-compile-error-in-defaults_c.patch
new file mode 100644
index 0000000..cba6f72
--- /dev/null
+++ b/autofs-5.1.0-fix-compile-error-in-defaults_c.patch
@@ -0,0 +1,35 @@
+autofs-5.1.0 - fix compile error in defaults.c
+
+From: Ian Kent <raven at themaw.net>
+
+Puzzling, suddenly I'm getting a compile error for defaults.c due
+to a lack of including stdarg.h.
+---
+ CHANGELOG      |    4 ++++
+ lib/defaults.c |    1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 5a5964d..58b94dc 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,7 @@
++??/??/2014 autofs-5.1.1
++=======================
++- fix compile error in defaults.c.
++
+ 04/06/2014 autofs-5.1.0
+ =======================
+ - fix mistake in assignment.
+diff --git a/lib/defaults.c b/lib/defaults.c
+index 2b03ea2..d29a976 100644
+--- a/lib/defaults.c
++++ b/lib/defaults.c
+@@ -20,6 +20,7 @@
+ #include <string.h>
+ #include <sys/utsname.h>
+ #include <sys/stat.h>
++#include <stdarg.h>
+ 
+ #include "config.h"
+ #include "list.h"
diff --git a/autofs-5.1.0-fix-config-entry-read-buffer-not-checked.patch b/autofs-5.1.0-fix-config-entry-read-buffer-not-checked.patch
new file mode 100644
index 0000000..edb931a
--- /dev/null
+++ b/autofs-5.1.0-fix-config-entry-read-buffer-not-checked.patch
@@ -0,0 +1,49 @@
+autofs-5.1.0 - fix config entry read buffer not checked
+
+From: Ian Kent <raven at themaw.net>
+
+Check the length of config file line read in and report truncation
+if it was too long.
+---
+ CHANGELOG      |    1 +
+ lib/defaults.c |    8 +++++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index bc8b9d1..21c3ecd 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -6,6 +6,7 @@
+ - fix incorrect round robin host detection.
+ - fix race accessing qdn in get_query_dn().
+ - fix leak in cache_push_mapent().
++- fix config entry read buffer not checked.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/defaults.c b/lib/defaults.c
+index d29a976..a83dcee 100644
+--- a/lib/defaults.c
++++ b/lib/defaults.c
+@@ -835,7 +835,7 @@ static int parse_line(char *line, char **sec, char **res, char **value)
+ 
+ static int read_config(unsigned int to_syslog, FILE *f, const char *name)
+ {
+-	char buf[MAX_LINE_LEN];
++	char buf[MAX_LINE_LEN + 2];
+ 	char secbuf[MAX_SECTION_NAME];
+ 	char *new_sec;
+ 	char *res;
+@@ -843,6 +843,12 @@ static int read_config(unsigned int to_syslog, FILE *f, const char *name)
+ 	new_sec = NULL;
+ 	while ((res = fgets(buf, MAX_LINE_LEN, f))) {
+ 		char *sec, *key, *value;
++
++		if (strlen(res) > MAX_LINE_LEN) {
++			message(to_syslog, "%s was truncated, ignored", res);
++			continue;
++		}
++
+ 		sec = key = value = NULL;
+ 		if (!parse_line(res, &sec, &key, &value))
+ 			continue;
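Review bot: The new truncation check in read_config() cannot fire, because `fgets(buf, MAX_LINE_LEN, f)` stores at most MAX_LINE_LEN - 1 characters, so `strlen(res) > MAX_LINE_LEN` is always false. buf was enlarged to MAX_LINE_LEN + 2 but the size passed to fgets was left unchanged; `while ((res = fgets(buf, sizeof(buf), f))) {` would let an over-long line be detected. Even then, the remainder of the over-long line is returned by the next fgets call and parsed as a separate entry, so the loop should also discard input up to the next newline after reporting the truncation. The body of read_config continues outside the hunk.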
diff --git a/autofs-5.1.0-fix-copy-and-paste-error-in-dup_defaults_entry.patch b/autofs-5.1.0-fix-copy-and-paste-error-in-dup_defaults_entry.patch
new file mode 100644
index 0000000..353ff99
--- /dev/null
+++ b/autofs-5.1.0-fix-copy-and-paste-error-in-dup_defaults_entry.patch
@@ -0,0 +1,35 @@
+autofs-5.1.0 - fix copy and paste error in dup_defaults_entry()
+
+From: Ian Kent <ikent at redhat.com>
+
+
+---
+ CHANGELOG           |    1 +
+ modules/parse_amd.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 4e00929..cb74c60 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -18,6 +18,7 @@
+ - check host macro is set before use.
+ - check options length before use in parse_amd.c.
+ - fix some out of order evaluations in parse_amd.c.
++- fix copy and paste error in dup_defaults_entry().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/parse_amd.c b/modules/parse_amd.c
+index c4992c1..a912385 100644
+--- a/modules/parse_amd.c
++++ b/modules/parse_amd.c
+@@ -1631,7 +1631,7 @@ static struct amd_entry *dup_defaults_entry(struct amd_entry *defaults)
+ 			entry->rfs = tmp;
+ 	}
+ 
+-	if (defaults->rhost && *defaults->rfs) {
++	if (defaults->rhost && *defaults->rhost) {
+ 		tmp = strdup(defaults->rhost);
+ 		if (tmp)
+ 			entry->rhost = tmp;
diff --git a/autofs-5.1.0-fix-incorrect-round-robin-host-detection.patch b/autofs-5.1.0-fix-incorrect-round-robin-host-detection.patch
new file mode 100644
index 0000000..b3f05cf
--- /dev/null
+++ b/autofs-5.1.0-fix-incorrect-round-robin-host-detection.patch
@@ -0,0 +1,35 @@
+autofs-5.1.0 - fix incorrect round robin host detection
+
+From: Ian Kent <raven at themaw.net>
+
+
+---
+ CHANGELOG            |    1 +
+ modules/replicated.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index ece8c5c..1b4e2fe 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -3,6 +3,7 @@
+ - fix compile error in defaults.c.
+ - add serialization to sasl init.
+ - dont allocate dev_ctl_ops too early.
++- fix incorrect round robin host detection.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/replicated.c b/modules/replicated.c
+index 0c1a8a7..32860d5 100644
+--- a/modules/replicated.c
++++ b/modules/replicated.c
+@@ -946,7 +946,7 @@ try_name:
+ 	}
+ 
+ 	this = ni;
+-	while (this->ai_next) {
++	while (this) {
+ 		if (this->ai_family == AF_INET) {
+ 			struct sockaddr_in *addr = (struct sockaddr_in *) this->ai_addr;
+ 			if (addr->sin_addr.s_addr != INADDR_LOOPBACK)
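Review bot: The loopback test on the last line shown, `addr->sin_addr.s_addr != INADDR_LOOPBACK`, compares a network-byte-order field with a host-byte-order constant, so on little-endian hosts 127.0.0.1 is never recognised as loopback. Now that the loop visits every addrinfo entry, this probably skews whatever the loop counts for round-robin detection; the comparison should be `addr->sin_addr.s_addr != htonl(INADDR_LOOPBACK)`. The loop body continues outside the hunk, so the handling of other address families is not visible here.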
diff --git a/autofs-5.1.0-fix-leak-in-cache_push_mapent.patch b/autofs-5.1.0-fix-leak-in-cache_push_mapent.patch
new file mode 100644
index 0000000..232de8a
--- /dev/null
+++ b/autofs-5.1.0-fix-leak-in-cache_push_mapent.patch
@@ -0,0 +1,36 @@
+autofs-5.1.0 - fix leak in cache_push_mapent()
+
+From: Ian Kent <raven at themaw.net>
+
+cache_push_mapent() incorectly sets the cache entry mapent to the old
+value which causes a memory leak when the new map entry isn't NULL.
+---
+ CHANGELOG   |    1 +
+ lib/cache.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index e911682..bc8b9d1 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -5,6 +5,7 @@
+ - dont allocate dev_ctl_ops too early.
+ - fix incorrect round robin host detection.
+ - fix race accessing qdn in get_query_dn().
++- fix leak in cache_push_mapent().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/cache.c b/lib/cache.c
+index 8d08094..4bab5a3 100644
+--- a/lib/cache.c
++++ b/lib/cache.c
+@@ -203,7 +203,7 @@ int cache_push_mapent(struct mapent *me, char *mapent)
+ 
+ 	s->mapent = me->mapent;
+ 	s->age = me->age;
+-	me->mapent = mapent;
++	me->mapent = new;
+ 
+ 	if (me->stack)
+ 		s->next = me->stack;
diff --git a/autofs-5.1.0-fix-leak-in-get_network_proximity.patch b/autofs-5.1.0-fix-leak-in-get_network_proximity.patch
new file mode 100644
index 0000000..2cdca78
--- /dev/null
+++ b/autofs-5.1.0-fix-leak-in-get_network_proximity.patch
@@ -0,0 +1,39 @@
+autofs-5.1.0 - fix leak in get_network_proximity()
+
+From: Ian Kent <raven at themaw.net>
+
+Fix variable net not freed after use in get_network_proximity().
+---
+ CHANGELOG        |    1 +
+ lib/parse_subs.c |    5 +++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 86166d7..92657c3 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -11,6 +11,7 @@
+ - fix memory leak in conf_amd_get_log_options().
+ - fix signed comparison in inet_fill_net().
+ - fix buffer size checks in get_network_proximity().
++- fix leak in get_network_proximity().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
+index 9af5106..6e9f2d7 100644
+--- a/lib/parse_subs.c
++++ b/lib/parse_subs.c
+@@ -446,9 +446,10 @@ unsigned int get_network_proximity(const char *name)
+ 		return PROXIMITY_ERROR;
+ 
+ 	net = get_network_number(name);
+-	if (net)
++	if (net) {
+ 		strcpy(name_or_num, net);
+-	else {
++		free(net);
++	} else {
+ 		char this[NI_MAXHOST + 1];
+ 		char *mask;
+ 
diff --git a/autofs-5.1.0-fix-leak-in-parse_mount.patch b/autofs-5.1.0-fix-leak-in-parse_mount.patch
new file mode 100644
index 0000000..a72b02a
--- /dev/null
+++ b/autofs-5.1.0-fix-leak-in-parse_mount.patch
@@ -0,0 +1,36 @@
+autofs-5.1.0 - fix leak in parse_mount()
+
+From: Ian Kent <ikent at redhat.com>
+
+Fix a potential memory leak of the allocated mount location
+in modules/parse_sun.c:parse_mount().
+---
+ modules/parse_sun.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/modules/parse_sun.c b/modules/parse_sun.c
+index 1fdea0b..b881ee9 100644
+--- a/modules/parse_sun.c
++++ b/modules/parse_sun.c
+@@ -1567,7 +1567,10 @@ int parse_mount(struct autofs_point *ap, const char *name,
+ 		 */
+ 		if ((strstr(options, "fstype=autofs") &&
+ 		     strstr(options, "hosts"))) {
+-			loc = NULL;
++			if (loc) {
++				free(loc);
++				loc = NULL;
++			}
+ 			loclen = 0;
+ 		} else {
+ 			loclen = strlen(loc);
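Review bot: The `if (loc)` guards added around free() in both parse_mount() hunks are redundant, since free(NULL) is a no-op; the second hunk's change from `free(loc);` to `if (loc) free(loc);` does not alter behaviour. The actual leak fix is the free before `loc = NULL` in this hunk, which can be written as `free(loc); loc = NULL;`. parse_mount's body starts and ends outside both hunks.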
+@@ -1591,7 +1594,8 @@ int parse_mount(struct autofs_point *ap, const char *name,
+ 			rv = sun_mount(ap, ap->path, name, name_len,
+ 				       loc, loclen, options, ctxt);
+ 
+-		free(loc);
++		if (loc)
++			free(loc);
+ 		free(options);
+ 		pthread_setcancelstate(cur_state, NULL);
+ 	}
diff --git a/autofs-5.1.0-fix-signed-comparison-in-inet_fill_net.patch b/autofs-5.1.0-fix-signed-comparison-in-inet_fill_net.patch
new file mode 100644
index 0000000..5d447db
--- /dev/null
+++ b/autofs-5.1.0-fix-signed-comparison-in-inet_fill_net.patch
@@ -0,0 +1,36 @@
+autofs-5.1.0 - fix signed comparison in inet_fill_net()
+
+From: Ian Kent <raven at themaw.net>
+
+Fix the less than 0 comparison of an incorrectly declared var in
+inet_fill_net().
+---
+ CHANGELOG        |    1 +
+ lib/parse_subs.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index f5bbb34..6977443 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -9,6 +9,7 @@
+ - fix config entry read buffer not checked.
+ - fix FILE pointer check in defaults_read_config().
+ - fix memory leak in conf_amd_get_log_options().
++- fix signed comparison in inet_fill_net().
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
+index d3dfa57..c1648c2 100644
+--- a/lib/parse_subs.c
++++ b/lib/parse_subs.c
+@@ -378,7 +378,7 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+ static char *inet_fill_net(const char *net_num, char *net)
+ {
+ 	char *np;
+-	unsigned int dots = 3;
++	int dots = 3;
+ 
+ 	if (strlen(net_num) > INET_ADDRSTRLEN)
+ 		return NULL;
diff --git a/autofs-5.1.0-fix-some-out-of-order-evaluations-in-parse_amd_c.patch b/autofs-5.1.0-fix-some-out-of-order-evaluations-in-parse_amd_c.patch
new file mode 100644
index 0000000..1edd0dc
--- /dev/null
+++ b/autofs-5.1.0-fix-some-out-of-order-evaluations-in-parse_amd_c.patch
@@ -0,0 +1,107 @@
+autofs-5.1.0 - fix some out of order evaluations in parse_amd.c
+
+From: Ian Kent <ikent at redhat.com>
+
+Fix some check contents before NULL check ordering in modules/parse_amd.c.
+---
+ CHANGELOG           |    1 +
+ modules/parse_amd.c |   33 ++++++++++++++-------------------
+ 2 files changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 81aadca..4e00929 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -17,6 +17,7 @@
+ - add return check in ldap check_map_indirect().
+ - check host macro is set before use.
+ - check options length before use in parse_amd.c.
++- fix some out of order evaluations in parse_amd.c.
+ 
+ 04/06/2014 autofs-5.1.0
+ =======================
+diff --git a/modules/parse_amd.c b/modules/parse_amd.c
+index 6764152..c4992c1 100644
+--- a/modules/parse_amd.c
++++ b/modules/parse_amd.c
+@@ -1226,13 +1226,12 @@ static unsigned int validate_auto_options(unsigned int logopt,
+ 	 * left blank the mount must be expected to fail so don't
+ 	 * report the error.
+ 	 */
+-	if (!*entry->fs)
+-		return 0;
+-	else if (!entry->fs) {
++	if (!entry->fs) {
+ 		error(logopt, MODPREFIX
+ 		      "%s: file system not given", entry->type);
+ 		return 0;
+-	}
++	} else if (!*entry->fs)
++		return 0;
+ 	return 1;
+ }
+ 
+@@ -1255,13 +1254,12 @@ static unsigned int validate_nfs_options(unsigned int logopt,
+ 	 * expected to fail.
+ 	 */
+ 	if (!entry->rfs || !*entry->rfs) {
+-		if (!*entry->rfs)
++		if (entry->rfs && !*entry->rfs)
+ 			return 0;
+ 		/* Map option fs has been intentionally left blank */
+ 		if (entry->fs && !*entry->fs)
+ 			return 0;
+-		if (entry->fs)
+-			entry->rfs = strdup(entry->fs);
++		entry->rfs = strdup(entry->fs);
+ 		if (!entry->rfs) {
+ 			error(logopt, MODPREFIX
+ 			      "%s: remote file system not given", entry->type);
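Review bot: Dropping the `if (entry->fs)` guard in validate_nfs_options() makes `entry->rfs = strdup(entry->fs);` reachable with entry->fs == NULL, which is undefined behaviour and in practice a NULL pointer dereference in the daemon. At that point entry->rfs is known to be NULL, and the only earlier test on entry->fs returns when it is non-NULL and empty, so an entry with both pointers NULL reaches the strdup. Keep the guard, `if (entry->fs) entry->rfs = strdup(entry->fs);`, so the existing `if (!entry->rfs)` branch reports the missing value instead. The function body continues outside the hunk.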
+@@ -1285,24 +1283,22 @@ static unsigned int validate_generic_options(unsigned int logopt,
+ 	 * expected to fail so don't report the error.
+ 	 */
+ 	if (fstype != AMD_MOUNT_TYPE_LOFS) {
+-		if (!*entry->dev)
+-			return 0;
+-		else if (!entry->dev) {
++		if (!entry->dev) {
+ 			error(logopt, MODPREFIX
+ 			      "%s: mount device not given", entry->type);
+ 			return 0;
+-		}
+-	} else {
+-		if (!*entry->rfs)
++		} else if (!*entry->dev)
+ 			return 0;
+-		else if (!entry->rfs) {
++	} else {
++		if (!entry->rfs) {
+ 			/*
+ 			 * Can't use entry->type as the mount type to reprot
+ 			 * the error since entry->type == "bind" not "lofs".
+ 			 */
+ 			error(logopt, "lofs: mount device not given");
+ 			return 0;
+-		}
++		} else if (!*entry->rfs)
++			return 0;
+ 	}
+ 	if (entry->sublink && !entry->fs) {
+ 		error(logopt, MODPREFIX
+@@ -1337,13 +1333,12 @@ static unsigned int validate_host_options(unsigned int logopt,
+ 	 * if it isn't given in the map entry. Don't report an error
+ 	 * if it has been left empty since it's expected to fail.
+ 	 */
+-	if (!*entry->rhost)
+-		return 0;
+-	else if (!entry->rhost) {
++	if (!entry->rhost) {
+ 		error(logopt, MODPREFIX
+ 		      "%s: remote host name not given", entry->type);
+ 		return 0;
+-	}
++	} else if (!*entry->rhost)
++		return 0;
+ 	return 1;
+ }
+ 
diff --git a/autofs.spec b/autofs.spec
index 506a0ce..37838c9 100644
--- a/autofs.spec
+++ b/autofs.spec
@@ -8,11 +8,31 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 License: GPLv2+
 Group: System Environment/Daemons
 Source: ftp://ftp.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}.tar.gz
+Patch1: autofs-5.1.0-fix-compile-error-in-defaults_c.patch
+Patch2: autofs-5.1.0-add-serialization-to-sasl-init.patch
+Patch3: autofs-5.1.0-dont-allocate-dev_ctl_ops-too-early.patch
+Patch4: autofs-5.1.0-fix-incorrect-round-robin-host-detection.patch
+Patch5: autofs-5.0.9-fix-race-accessing-qdn-in-get_query_dn.patch
+Patch6: autofs-5.1.0-fix-leak-in-cache_push_mapent.patch
+Patch7: autofs-5.1.0-fix-config-entry-read-buffer-not-checked.patch
+Patch8: autofs-5.0.1-fix-FILE-pointer-check-in-defaults_read_config.patch
+Patch9: autofs-5.0.1-fix-memory-leak-in-conf_amd_get_log_options.patch
+Patch10: autofs-5.1.0-fix-signed-comparison-in-inet_fill_net.patch
+Patch11: autofs-5.1.0-fix-buffer-size-checks-in-get_network_proximity.patch
+Patch12: autofs-5.1.0-fix-leak-in-get_network_proximity.patch
+Patch13: autofs-5.1.0-fix-buffer-size-checks-in-merge_options.patch
+Patch14: autofs-5.1.0-check-amd-lex-buffer-len-before-copy.patch
+Patch15: autofs-5.1.0-add-return-check-in-ldap-check_map_indirect.patch
+Patch16: autofs-5.1.0-check-host-macro-is-set-before-use.patch
+Patch17: autofs-5.1.0-check-options-length-before-use-in-parse_amd_c.patch
+Patch18: autofs-5.1.0-fix-some-out-of-order-evaluations-in-parse_amd_c.patch
+Patch19: autofs-5.1.0-fix-copy-and-paste-error-in-dup_defaults_entry.patch
+Patch20: autofs-5.1.0-fix-leak-in-parse_mount.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if %{with_systemd}
 BuildRequires: systemd-units
@@ -70,6 +90,26 @@ echo %{version}-%{release} > .version
   %define unitdir %{?_unitdir:/usr/lib/systemd/system}
   %define systemd_configure_arg --with-systemd
 %endif
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
 
 %build
 LDFLAGS=-Wl,-z,now
@@ -162,6 +202,27 @@ fi
 %dir /etc/auto.master.d
 
 %changelog
+* Mon Jul 7 2014 Ian Kent <ikent at redhat.com> - 1:5.1.0-3
+- fix compile error in defaults.c.
+- add serialization to sasl init.
+- dont allocate dev_ctl_ops too early.
+- fix incorrect round robin host detection.
+- fix race accessing qdn in get_query_dn().
+- fix leak in cache_push_mapent().
+- fix config entry read buffer not checked.
+- fix FILE pointer check in defaults_read_config().
+- fix memory leak in conf_amd_get_log_options().
+- fix signed comparison in inet_fill_net().
+- fix buffer size checks in get_network_proximity().
+- fix leak in get_network_proximity().
+- fix buffer size checks in merge_options().
+- check amd lex buffer len before copy.
+- add return check in ldap check_map_indirect().
+- check host macro is set before use.
+- check options length before use in parse_amd.c.
+- fix some out of order evaluations in parse_amd.c.
+- fix copy and paste error in dup_defaults_entry().
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:5.1.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 

